Mark's Windows Server Blog - All Comments
http://winserverteam.org.uk/blogs/mark/default.aspx
Snippets of Windows Server information from <a href="http://www.markwilson.co.uk/blog/">Mark Wilson</a>

re: How Windows PowerShell exposes passwords in clear text
http://winserverteam.org.uk/blogs/mark/archive/2007/08/22/how-windows-powershell-exposes-passwords-in-clear-text.aspx#53
Thu, 23 Aug 2007 18:23:04 GMT
markwilson

Since I wrote <a href="http://winserverteam.org.uk/controlpanel/blogs/www.markwilson.co.uk/.../how-windows-powershell-exposes-passwords-in-clear-text.htm">the original blog post on this subject</a>, it's been pointed out to me that <code>get-credential</code> doesn't actually store the credentials as clear text - <code>get-member</code> shows that the method is actually a secure string.
<p>My point is that, regardless of how the credential is stored, it can be retrieved in a human-readable form. I shouldn’t ever be able to say “what is the password?” and read it - what I should be able to say is, “does this hash (based on what I think the password is) match the stored hash for the password?” - that’s something very different (and far more secure in my view).</p>
<p>Whether this is actually a bug is questionable (it probably is by design) - unfortunately the only other type of feedback that I can submit to Microsoft is a suggestion - maybe I should “suggest” that this is a poor way in which to handle user credentials and other sensitive data.</p>
<p>Mark</p>